Delete a banner using Kaspersky WindowsUnlocker
Removing ransomware viruses has become somewhat more complicated than it used to be, and many time-tested methods no longer work. For example, it is now unlikely that you can unlock the malicious program with a code, set the BIOS clock back several years, or calmly boot into safe mode and use the registry editor. To get around the tricks of the unscrupulous creators of Windows blockers, users have to learn more professional methods. Nowadays anyone facing banner removal should have a boot disk, from which the infected computer can be cured by loading the registry of the affected operating system. Kaspersky Lab has prepared a free tool specifically for dealing with various advertising modules, and using it significantly reduces the time and effort needed to unlock the banner. In this article we will look at it in more detail. You can also study our main article about banner removal.
Create bootable media
To get started, download the Kaspersky Rescue Disk boot image, which includes the Kaspersky WindowsUnlocker utility. Then create a bootable disc or flash drive. To create a disc, you can use any program for burning optical discs (Nero, Ashampoo Burning Studio and others). If you decide to make a bootable USB flash drive (the most relevant option today), follow these steps:
get a USB drive with at least 256 megabytes of memory
format it in FAT16 or in FAT32
download the special program for writing the previously downloaded image to the drive
run the rescue2usb.exe file and select the required drive
press the “Start” button and wait for the message that recording has completed
Delete the ransomware banner
This completes the creation of the boot media, and you can proceed to removing the banner. Restart the computer, enter the BIOS (usually by pressing F2 or Del) and select the media we created as the boot device. While the image is loading, select the Russian language and graphic mode for more comfortable work; you will also need to accept the software manufacturer's license agreement. Once the system has loaded, open the terminal by clicking the button in the lower left corner of the screen. When the terminal is open, type the windowsunlocker command, press Enter and follow the instructions: to unlock the registry, press 1 and Enter; to exit, enter 0. After the registry has been cleaned, Kaspersky Lab also recommends running a full computer scan with Rescue Disk, whose shortcut can be found on the desktop.
However, sometimes the utility does not help, and after booting into the “native” operating system the banner is still in place. This means the banner has registered itself in a less obvious way, but the boot image is still very useful here, because it has a built-in registry editor (the shortcut is on the desktop if you used the graphical mode). Using the registry editor, manually check the following paths:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Here you need to check three parameters:
Shell parameter must be Explorer.exe
UIHost parameter must be set to logonui.exe
Userinit must be set to C:\Windows\system32\userinit.exe
If any of the parameters has an incorrect value, correct it manually. Do the same for any mismatch you find in the paths below.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
In this key, each parameter automatically launches an application when Windows starts, so if a program seems suspicious to you, disable it. As a rule, executable files of suspicious programs are located on the boot disk, in user folders or in the Temp folder.
In the same way, check the following two registry keys for specific users (if there is more than one user, check them for each user):
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
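The manual checks above can also be run over a text (.reg) export of the same keys. The following Python is an added example, not part of the original article and not a Kaspersky tool; the sample export, the file names in it and the folder heuristics are constructed for illustration.

```python
import re

# Expected Winlogon values as listed in this article (compared case-insensitively).
EXPECTED = {"shell": "explorer.exe", "uihost": "logonui.exe",
            "userinit": r"c:\windows\system32\userinit.exe"}
# Assumption: "user folders" and "Temp" are approximated by these path fragments.
SUSPICIOUS_DIRS = ("\\temp\\", "\\users\\", "\\documents and settings\\")
# Matches "Name"="string data" lines; hex/dword values are skipped.
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

# Constructed sample export (not taken from a real infection).
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="C:\\Users\\test\\AppData\\Local\\Temp\\example-locker.exe"
"UIHost"="logonui.exe"
"Userinit"="C:\\Windows\\system32\\userinit.exe,"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Updater"="\"C:\\Users\\test\\AppData\\Roaming\\example.exe\" /s"
"ExampleTray"="C:\\Program Files\\ExampleVendor\\tray.exe"
'''

def parse_reg(text):
    """Parse .reg export text into {key_path: {value_name: string_data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
        elif current is not None:
            m = VALUE_RE.match(line)
            if m:  # undo .reg escaping (\\ -> \, \" -> ")
                name, data = (re.sub(r"\\(.)", r"\1", g) for g in m.groups())
                current[name] = data
    return keys

def audit(text):
    """Return (key, name, data, reason) for every entry that fails the checks."""
    findings = []
    for key, values in parse_reg(text).items():
        for name, data in values.items():
            k, d = key.lower(), data.lower()
            want = EXPECTED.get(name.lower())
            if k.endswith(r"\currentversion\winlogon"):
                # Windows itself stores Userinit with a trailing comma; accept it.
                if want and d.rstrip(", ") != want:
                    findings.append((key, name, data, "unexpected Winlogon value"))
            elif k.endswith(r"\currentversion\run") and any(s in d for s in SUSPICIOUS_DIRS):
                findings.append((key, name, data, "autorun from user or Temp folder"))
    return findings
```

An export produced by the Windows registry editor is UTF-16 encoded, so read it with `open(path, encoding="utf-16")` before passing the text to `audit()`.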
After successfully getting rid of the banner, it is recommended to check all disks with anti-virus software. This concludes the article, and we hope that the information provided was useful to you.